Typically Windows Server supports two types of VPN connection: PPTP
(Point-to-Point Tunneling Protocol) and L2TP/IPSec. The first, PPTP, is the
simpler of the two and easier to set up, but compared to L2TP/IPSec it is less
secure, which is why organizations go for the second option. The reason is that
with PPTP the authentication is not done over a secured connection, so the
credentials can be captured by attackers, who can then gain access to the VPN
server; the secure connection is set up only after authentication is done. With
L2TP/IPSec, a secure IPSec session is established between the client and the
server before the user credentials are sent to the VPN server for
authentication, which makes it much harder to break. Moreover, L2TP/IPSec
provides mutual machine authentication, for which the local machine must have a
certificate issued by a proper certificate authority.
A new type of VPN connection was introduced with Windows Server 2008, and is
also supported by Windows Vista SP1, called SSTP (Secure Socket Tunneling
Protocol). It tunnels the VPN traffic over an HTTP-over-SSL connection to the
VPN server at your workplace. The reason behind introducing this new VPN type is
that it uses TCP port 443, which is open by default in almost all firewalls. So
if you are in a hotel or some other public place where a lot of ports are
blocked, you will still have no difficulty connecting to your corporate network,
and the network administrator need not open a particular port in the firewall
specifically for you.
Now, let's enable VPN on a Windows Server 2008 system.
Enabling VPN on Windows Server 2008
For this article, we assume that you have a system running Windows Server 2008,
with Active Directory, DNS and a DHCP server already configured on that machine.
First start the Windows Server 2008 Server Manager and click on the 'Add Roles'
option, then click on the Next button to proceed. A list of server roles
appears; select the 'Network Policy and Access Services' option and click on
Next. An information page appears introducing Network Policy and Access
Services; click on Next to proceed. Next, under 'Role services', check 'Routing
and Remote Access Services'. The wizard then asks you to confirm the components
that are going to be installed on the system; click on the Install button to
start the installation. Once the installation is complete, click on Finish to
exit the wizard.
Configuring the VPN
After the installation is over, configure the VPN so that it works according to
your requirements. To configure the VPN, open the Server Manager console and
expand the Roles node on the left side. From the list of roles installed on the
system, expand the 'Network Policy and Access Services' node, then right-click
on 'Routing and Remote Access' and click on the 'Configure and Enable Routing
and Remote Access' option, which starts a wizard to configure the VPN server.
As the wizard starts, click on Next to proceed. Select the 'Remote Access'
option, which allows remote clients to connect via dial-up or via VPN, and click
on Next. For VPNs, check the 'VPN' check box, which enables the server to accept
remote connections from clients over the Internet. Make sure the server has two
NICs, otherwise Windows Server 2008 will show an error message and the wizard
will exit. Then select the NIC through which the system connects to the
Internet, in other words the one through which remote clients will connect.
Next you have two options: either the system assigns IP addresses to remote
clients automatically, or you specify an IP range yourself, which also limits
the number of users that can connect through the VPN. We chose the second option
and provided the range of IPs by clicking on the New button in the next step. If
you have a RADIUS server you can set up authentication against it; otherwise
choose the second option, i.e. use Routing and Remote Access to authenticate
requests. Once the configuration is over, click on the Finish button to exit the
wizard.
[Screenshot: On Windows Server 2008, open the Server Manager. On the left panel, right-click on the Roles node and click on the 'Add Roles' option.]
Connecting to VPN Server
Once the configuration is over, we will connect a remote client to it. We tried
connecting with a Windows Vista-based machine, which was pretty simple. First
open the Control Panel and navigate to the Network and Sharing Center. Then
click on the 'Set up a connection or network' link, and a wizard opens up.
Choose the option 'Connect to a workplace'. Next it prompts you for the network
address and destination name; specify a name for the VPN connection and then
specify the IP address of the VPN server. Next it prompts you for user
credentials. Provide the username and password for logging into the VPN server
and then click on Connect. Finally it shows that you are connected to the
network, and the VPN server assigns an IP address to your machine. Windows Vista
will prompt you to choose the location of the network and to configure the
firewall accordingly for the new network. Choose Work from the list of options
and click on the Continue button, and finally close the wizard.
Now you will be able to access all the authorized internal network resources
and can work from anywhere on the globe (provided you have Internet access).
[Screenshot: A role installation wizard starts up. Here, check the 'Network Policy and Access Services' option from the list of roles.]
Implementing OpenVPN
OpenVPN is a free and open-source VPN solution, which can be implemented on
Windows or Linux machines. Configuring OpenVPN is not too complex compared to
the Windows setup. The prerequisite for OpenVPN on Windows is that the system
must be running Windows 2000 or higher. In the case of a Linux system, it must
have support for the TUN/TAP driver, the OpenSSL libraries and the LZO
compression library.
Installing OpenVPN
We installed OpenVPN on a Fedora 10 machine without any hassle. To install
OpenVPN, run the following command in a terminal with root privileges:
# yum install openvpn
It automatically resolves all the dependencies and installs OpenVPN. If the
clients are also running Fedora 10, there is an OpenVPN integration module
available for the GNOME NetworkManager, which provides a graphical interface
for remote clients to connect to the VPN server at the workplace. To install
the OpenVPN module for NetworkManager, run the following command:
# yum install NetworkManager-openvpn
Creating Certificate
Once the installation is done it's time to configure OpenVPN to suit your
requirements. Check that OpenVPN is working properly by starting the OpenVPN
daemon. Now stop the OpenVPN daemon, and copy all the files under
'/usr/share/openvpn/easy-rsa/2.0/' to '/etc/openvpn/'. Now open the file 'vars'
and change the values of the following variables as per your requirements. This
file is used when creating the certificates, which will be used by both client
and server.
export KEY_COUNTRY="IN"
export KEY_PROVINCE="ND"
export KEY_CITY="DELHI"
export KEY_ORG="PCQUEST"
export KEY_EMAIL="xyz@pcquest.com"
You can also change the path of the folder where all the keys will be
generated, by modifying the following line:
export KEY_DIR="/etc/openvpn/keys" # in our case it is inside the openvpn directory
After you have modified the 'vars' file, change to the '/etc/openvpn/'
directory and run the following commands to generate the certificates for the
server and clients (note that 'vars' must be sourced into the current shell
with '.', not executed as a separate script, otherwise the exported variables
are not visible to the build scripts):
# . ./vars
# ./clean-all
# ./build-ca
The clean-all command removes all existing keys and certificates (if any) from
the 'keys' directory residing inside '/etc/openvpn/', and build-ca creates a CA
certificate named ca.crt and a key file named ca.key. During creation, it asks
for some details which we have already fed into the 'vars' file, so just press
Enter when asked.
Next, we create a certificate and key for the VPN server which resides at
your organization, for which run the following command:
# ./build-key-server vpnserver1
You can replace 'vpnserver1' with any logical name or hostname. Similar to
the CA certificate creation, the build-key-server process also asks some
questions whose answers are already fed in from the vars file, so just press
Enter, and provide a suitable password, or leave it blank. Then it asks you to
sign the certificate, for which press 'Y'.
Next we create a certificate and key for the client, by running the following
command:
# ./build-key vpnclient1    # replace vpnclient1 with any logical name or hostname you prefer
Similar to the server certificate creation, this process also asks questions.
Just press Enter for the default values, and when asked for the 'Common Name'
verify that it has taken 'vpnclient1'; if not, provide as common name the
logical name or hostname of the machine. Once the process is complete, the
certificate and key for one client are generated. If you want more than one
client to connect to the VPN server, repeat the client certificate creation
process to create a unique certificate for each client. Now run the following
command to create the Diffie-Hellman parameters ('.pem' file):
# ./build-dh
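The easy-rsa scripts used above are thin wrappers around openssl. The following script is an added example, not part of the article or of the OpenVPN/easy-rsa project: it reproduces what build-ca, build-key-server and build-key do with plain openssl commands, using the subject fields the article sets in 'vars', and adds the check a practitioner would want afterwards, namely that each issued certificate actually chains to ca.crt and carries the expected Common Name. It assumes openssl is installed and writes everything into a directory you name; the function names build_pki, issue_cert, verify_against_ca and cert_cn are ours. It does not generate the DH parameters, which build-dh still has to produce.

```shell
#!/bin/sh
# Added example (not the article's or easy-rsa's own code): build a CA, a
# server certificate and a client certificate with plain openssl, mirroring
# ./build-ca, ./build-key-server vpnserver1 and ./build-key vpnclient1.
set -eu

# Subject fields as set in the article's 'vars' file.
KEY_COUNTRY="IN"; KEY_PROVINCE="ND"; KEY_CITY="DELHI"
KEY_ORG="PCQUEST"; KEY_EMAIL="xyz@pcquest.com"
KEY_SUBJ="/C=$KEY_COUNTRY/ST=$KEY_PROVINCE/L=$KEY_CITY/O=$KEY_ORG/emailAddress=$KEY_EMAIL"

# issue_cert DIR NAME: generate NAME.key and NAME.csr in DIR and sign the CSR
# with DIR/ca.crt + DIR/ca.key into NAME.crt (what build-key-server/build-key
# do; the CN is NAME, which is what the article tells you to verify at the prompt).
issue_cert() {
    dir="$1"; name="$2"
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "$KEY_SUBJ/CN=$name" >/dev/null 2>&1
    openssl x509 -req -days 3650 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.crt" >/dev/null 2>&1
    chmod 600 "$dir/$name.key"    # private keys must not be readable by other users
}

# build_pki DIR: the whole sequence the article runs from /etc/openvpn.
build_pki() {
    dir="$1"
    mkdir -p "$dir"
    # build-ca: self-signed CA certificate (ca.crt) and its private key (ca.key)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "$KEY_SUBJ/CN=PCQUEST-CA" >/dev/null 2>&1
    chmod 600 "$dir/ca.key"
    issue_cert "$dir" vpnserver1     # build-key-server vpnserver1
    issue_cert "$dir" vpnclient1     # build-key vpnclient1
}

# verify_against_ca CAFILE CERT: 0 if CERT chains to CAFILE, non-zero otherwise.
# A certificate signed by some other CA (for instance one left over from before
# clean-all) fails here, and OpenVPN would reject it in the same way.
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_cn CERT: print the Common Name, to confirm it is the expected logical name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Usage: sh mkpki.sh /etc/openvpn/keys
if [ -n "${1:-}" ]; then
    build_pki "$1"
    for n in vpnserver1 vpnclient1; do
        if verify_against_ca "$1/ca.crt" "$1/$n.crt"; then
            echo "$n: CN=$(cert_cn "$1/$n.crt") chains to ca.crt"
        else
            echo "$n: does NOT chain to ca.crt"
        fi
    done
fi
```

The negative case is the one worth remembering: a client certificate issued by a different CA (say, before a clean-all and a fresh build-ca) looks perfectly valid on its own but fails verify_against_ca, which is exactly why the article's sequence rebuilds every client certificate after the CA.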
Configuring OpenVPN
Next copy the server.conf file from the '/usr/share/doc/openvpn/sample-config-files'
folder to '/etc/openvpn/' and open the file with a text editor. Find and change
the following lines in server.conf:
ca keys/ca.crt
cert keys/vpnserver1.crt
key keys/vpnserver1.key
dh keys/dh2048.pem
log openvpn.log
In the above lines we provided the correct paths for the CA, certificate, key
and DH parameter files that OpenVPN will use, and we also told OpenVPN to write
a log file inside the OpenVPN directory, in case you do not prefer to use
syslog.
Finally start the OpenVPN server by executing the following command:
# /etc/init.d/openvpn start
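Before starting the daemon it is worth checking that the four file directives above point at files that exist and that the private key is not readable by other local users, since a world-readable server key lets any local account impersonate the VPN server. The following script is an added example, not from the article or the OpenVPN project: check_openvpn_conf parses a server.conf for the ca, cert, key and dh directives, resolves relative paths against the directory the config lives in (we assume here that the daemon runs with /etc/openvpn as its working directory, as the article's layout implies), and reports anything missing or insecure. make_sample_layout builds a constructed scratch copy of the article's layout so the check can be tried without touching /etc/openvpn; both function names are ours.

```shell
#!/bin/sh
# Added example (not the article's or OpenVPN's own code): pre-flight checks on
# an OpenVPN server.conf before starting the daemon.

# check_openvpn_conf CONF: for the ca, cert, key and dh directives, verify the
# referenced file exists (relative paths resolved against CONF's directory,
# assumed to be the daemon's working directory) and that the private key is
# not group/world readable. Prints one line per problem; returns 0 if clean.
check_openvpn_conf() {
    conf="$1"
    confdir=$(dirname "$conf")
    rc=0
    for directive in ca cert key dh; do
        # first argument of the directive, skipping comments and blank lines
        path=$(sed -n "s/^[[:space:]]*$directive[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p" "$conf" | head -n 1)
        if [ -z "$path" ]; then
            echo "MISSING directive: $directive"
            rc=1
            continue
        fi
        case "$path" in
            /*) full="$path" ;;
            *)  full="$confdir/$path" ;;
        esac
        if [ ! -r "$full" ]; then
            echo "MISSING file for '$directive': $full"
            rc=1
            continue
        fi
        if [ "$directive" = key ]; then
            # columns 5-10 of 'ls -l' are the group and other permission bits
            others=$(ls -l "$full" | cut -c5-10)
            if [ "$others" != "------" ]; then
                echo "INSECURE permissions on $full (group/other: $others, should be none)"
                rc=1
            fi
        fi
    done
    return $rc
}

# make_sample_layout DIR KEYMODE: constructed scratch copy of the article's
# /etc/openvpn layout (empty placeholder files; only paths and modes matter
# for this check), with the server key set to KEYMODE, e.g. 600 or 644.
make_sample_layout() {
    dir="$1"; keymode="$2"
    mkdir -p "$dir/keys"
    cat > "$dir/server.conf" <<'EOF'
# constructed sample based on the article's server.conf edits
ca keys/ca.crt
cert keys/vpnserver1.crt
key keys/vpnserver1.key
dh keys/dh2048.pem
log openvpn.log
EOF
    for f in ca.crt vpnserver1.crt vpnserver1.key dh2048.pem; do
        : > "$dir/keys/$f"
    done
    chmod "$keymode" "$dir/keys/vpnserver1.key"
}

# Usage against the real installation: sh check-openvpn.sh /etc/openvpn/server.conf
if [ -n "${1:-}" ]; then
    check_openvpn_conf "$1" && echo "$1: all checks passed"
fi
```

Run it against the real file after editing server.conf; a forgotten build-dh shows up as a missing dh file, and a key copied with default permissions shows up as INSECURE before the daemon ever starts.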
Client Configuration
Now let's see how to configure a client to connect to the organization's VPN
server. First copy vpnclient1.crt, vpnclient1.key and ca.crt from the server,
where we created the client certificate, to the client machine.
Then click on the GNOME NetworkManager icon, select 'VPN Connections', and
then click on the 'Configure VPN' option. To create a new VPN connection, click
on the 'Add' button and choose 'OpenVPN' from the drop-down list, then click on
the 'Create' button. A new window opens up asking for the necessary details.
Give the VPN connection a suitable name such as 'Connecttoserver'.
In the Gateway option, provide the address of the VPN server on which we
configured OpenVPN. Next, in the User Certificate option provide the file
'vpnclient1.crt', in the CA Certificate option provide the file ca.crt, and in
the Private Key option provide 'vpnclient1.key'. Then specify the password and
click on 'Apply'. Finally everything is configured and ready to go.
Now click on the GNOME NetworkManager icon, select VPN Connections and click
on the 'Connecttoserver' option. Wait a couple of seconds and you are connected
to the VPN server. Now type 'ifconfig' in a terminal on your system and you
will find that you have been assigned an IP address, 10.8.0.6 for example.